Methods and systems for controlling access to custom objects in a database

US 10,410,013 B2
Filed: 05/20/2016
Issued: 09/10/2019
Est. Priority Date: 10/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, from a requester, a request for a custom object of a custom object type from a custom object share table of a database, and an identifier corresponding to the requester; and

performing, in a single access to the custom object share table, and responsive to the request;

identifying in the custom object share table a group and a tenant to which the identifier corresponding to the requester belongs,determining, from one or more custom object types implicitly associated by the custom object share table with the group, whether the group has access to the custom object based on the custom object type of the custom object, andaccessing and returning the custom object from the custom object share table based on the tenant and the custom object type.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In embodiments, methods and systems for controlling access to custom objects are provided. These techniques for controlling access to custom objects can enable embodiments to utilize a key for the protection of the security of data that is to remain private while not compromising efficiency of a query. The key for a requested custom object is identified and then used so that only an appropriate portion of a custom entity share table is searched to locate access information. It is then determined whether the user can access at least a portion of the custom object, and the appropriate and allowed data is sent to the user.

235 Citations

20 Claims

1. A method, comprising:
- receiving, from a requester, a request for a custom object of a custom object type from a custom object share table of a database, and an identifier corresponding to the requester; and
  
  performing, in a single access to the custom object share table, and responsive to the request;
  
  identifying in the custom object share table a group and a tenant to which the identifier corresponding to the requester belongs,determining, from one or more custom object types implicitly associated by the custom object share table with the group, whether the group has access to the custom object based on the custom object type of the custom object, andaccessing and returning the custom object from the custom object share table based on the tenant and the custom object type.

2. A system, comprising:
- one or more processors coupled to memory storing computer instructions that, when executed on the one or more processors, implement actions including;
  
  receiving, from a requester, a request for a custom object of a custom object type from a custom object share table of a database, and an identifier corresponding to the requester; and
  
  performing, in a single access to the custom object share table, and responsive to the request;
  
  identifying in the custom object share table a group and a tenant to which the identifier corresponding to the requester belongs,determining, from one or more custom object types implicitly associated by the custom object share table with the group, whether the group has access to the custom object based on the custom object type of the custom object, andaccessing and returning the custom object from the custom object share table based on the tenant and the custom object type.

3. A non-transitory machine-readable storage medium storing a plurality of instructions for programming one or more processors, the one or more instructions, when executed on the processors, implementing actions including:
- receiving, from a requester, a request for a custom object of a custom object type from a custom object share table of a database, and an identifier corresponding to the requester; and
  
  performing, in a single access to the custom object share table, and responsive to the request;
  
  identifying in the custom object share table a group and a tenant to which the identifier corresponding to the requester belongs,determining, from one or more custom object types implicitly associated by the custom object share table with the group, whether the group has access to the custom object based on the custom object type of the custom object, andaccessing and returning the custom object from the custom object share table based on the tenant and the custom object type.

4. A computer-implemented method, comprising:
- receiving, from a requester, a request for a custom object of a custom object type from a custom object share table of a database, and an identifier corresponding to the requester;
  
  determining, for a first query plan, a first result size comprising a number of rows of the custom object share table filtered by the identifier corresponding to the requester, wherein the first query plan then filters on a property of the custom object;
  
  determining, for a second query plan, a second result size comprising a number of rows of the custom object share table filtered on the property of the custom object, wherein the second query plan then filters by the identifier corresponding to the requester;
  
  choosing, based upon the request, a resultant query plan between accessing the custom object share table from a user side of the custom object share table by the first query plan using the identifier corresponding to the requester when the first result size is smaller than the second result size, or from an object side of the custom object share table by the second query plan using the filter on the property of the custom object when the second result size is smaller than the first result size;
  
  executing a query comprising the resultant query plan, wherein filtering by the identifier corresponding to the requester comprises identifying in the custom object share table a group to which the identifier corresponding to the requester belongs and determining whether the group has access to the custom object based on the custom object type of the custom object; and
  
  responsive to the user request, returning the custom object from the custom object share table based on the group and the custom object type of the custom object.
- View Dependent Claims (5, 6, 7, 15, 16)
- - 5. The method of claim 4, further including storing one or more fields for a tenant identifier and an object type in the custom object share table.
  - 6. The method of claim 4, further including storing one or more fields for a tenant identifier and an object type in a custom object access table that is linked to the custom object.
  - 7. The method of claim 4, wherein executing the query comprises accessing the custom object using a key prefix.
  - 15. The method of claim 4, wherein determining the first result size and determining the second result size comprises estimating a number of rows of the custom object share table accessible to the requester based on a role associated with the identifier corresponding to the requester.
  - 16. The method of claim 15, wherein estimating the number of rows of the custom object share table accessible to the requester based on the role comprises determining a number of records in the custom object share table owned by the requester and any subordinates of the requester.

8. A system including one or more processors coupled to memory storing computer instructions, which instructions, when executed on the one or more processors, implement actions comprising:
- receiving, from a requester, a request for a custom object of a custom object type from a custom object share table of a database, and an identifier corresponding to the requester;
  
  determining, for a first query plan, a first result size comprising a number of rows of the custom object share table filtered by the identifier corresponding to the requester, wherein the first query plan then filters on a property of the custom object;
  
  determining, for a second query plan, a second result size comprising a number of rows of the custom object share table filtered on the property of the custom object, wherein the second query plan then filters by the identifier corresponding to the requester;
  
  choosing, based upon the request, a resultant query plan between accessing the custom object share table from a user side of the custom object share table by the first query plan using the identifier corresponding to the requester when the first result size is smaller than the second result size, or from an object side of the custom object share table by the second query plan using the filter on the property of the custom object when the second result size is smaller than the first result size;
  
  executing a query comprising the resultant query plan, wherein filtering by the identifier corresponding to the requester comprises identifying in the custom object share table a group to which the identifier corresponding to the requester belongs and determining whether the group has access to the custom object based on the custom object type of the custom object; and
  
  responsive to the user request, returning the custom object from the custom object share table based on the group and the custom object type of the custom object.
- View Dependent Claims (9, 10, 11, 17, 18)
- - 9. The system of claim 8, the actions further comprising storing one or more fields for a tenant identifier and an object type in the custom object share table.
  - 10. The system of claim 8, the actions further comprising storing one or more fields for a tenant identifier and an object type in a custom object access table that is linked to the custom object.
  - 11. The system of claim 8, wherein executing the query comprises accessing the custom object using a key prefix.
  - 17. The system of claim 8, wherein determining the first result size and determining the second result size comprises estimating a number of rows of the custom object share table accessible to the requester based on a role associated with the identifier corresponding to the requester.
  - 18. The system of claim 17, wherein estimating the number of rows of the custom object share table accessible to the requester based on the role comprises determining a number of records in the custom object share table owned by the requester and any subordinates of the requester.

12. A non-transitory computer readable storage medium impressed with computer program instructions, which instructions, when executed on one or more processors, implement a method comprising:
- receiving, from a requester, a request for a custom object of a custom object type from a custom object share table of a database, and an identifier corresponding to the requester;
  
  determining, for a first query plan, a first result size comprising a number of rows of the custom object share table filtered by the identifier corresponding to the requester, wherein the first query plan then filters on a property of the custom object;
  
  determining, for a second query plan, a second result size comprising a number of rows of the custom object share table filtered on the property of the custom object, wherein the second query plan then filters by the identifier corresponding to the requester;
  
  choosing, based upon the request, a resultant query plan between accessing the custom object share table from a user side of the custom object share table by the first query plan using the identifier corresponding to the requester when the first result size is smaller than the second result size, or from an object side of the custom object share table by the second query plan using the filter on the property of the custom object when the second result size is smaller than the first result size;
  
  executing a query comprising the resultant query plan, wherein filtering by the identifier corresponding to the requester comprises identifying in the custom object share table a group to which the identifier corresponding to the requester belongs and determining whether the group has access to the custom object based on the custom object type of the custom object; and
  
  responsive to the user request, returning the custom object from the custom object share table based on the group and the custom object type of the custom object.
- View Dependent Claims (13, 14, 19, 20)
- - 13. The non-transitory computer readable storage medium of claim 12, implementing the method further comprising storing one or more fields for a tenant identifier and an object type in a custom object access table that is linked to the custom object.
  - 14. The non-transitory computer readable storage medium of claim 12, wherein executing the query comprises accessing the custom object using a key prefix.
  - 19. The non-transitory computer readable storage medium of claim 12, wherein determining the first result size and determining the second result size comprises estimating a number of rows of the custom object share table accessible to the requester based on a role associated with the identifier corresponding to the requester.
  - 20. The non-transitory computer readable storage medium of claim 19, wherein estimating the number of rows of the custom object share table accessible to the requester based on the role comprises determining a number of records in the custom object share table owned by the requester and any subordinates of the requester.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Weissman, Craig, Oliver, Kevin, Jasik, Benji, Doshi, Kedar
Primary Examiner(s)
Channavajjala, Srirama
Assistant Examiner(s)
Le, Jessica N

Application Number

US15/161,106
Publication Number

US 20160267294A1
Time in Patent Office

1,208 Days
Field of Search

707713
US Class Current
CPC Class Codes

G06F 16/176   Support for shared access t...

G06F 16/289   Object oriented databases

G06F 21/6227   where protection concerns t...

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99939   Privileged access

Methods and systems for controlling access to custom objects in a database

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

235 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for controlling access to custom objects in a database

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

235 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links